======================
Installing Passwd H5
======================
:Contact: horde@lists.horde.org
.. contents:: Contents
.. section-numbering::
This document contains instructions for installing the Passwd Password
Changing application on your system.
For information on the capabilities and features of Passwd, see the file
README_.
Prerequisites
=============
To function properly, Passwd **requires** the following:
1. A working Horde installation.
Passwd runs within the `Horde Application Framework`_, a set of common tools
for web applications written in PHP. You must install Horde before
installing Passwd.
.. Important:: Passwd H5 requires version 5.0+ of the Horde Framework -
earlier versions of Horde will **not** work.
.. Important:: Be sure to have completed all of the steps in the
`horde/docs/INSTALL`_ file for the Horde Framework before
installing Passwd. Many of Passwd's prerequisites are also
Horde prerequisites. Additionally, many of Passwd's optional
features are configured via the Horde install.
.. _`Horde Application Framework`: http://www.horde.org/apps/horde
2. The following PHP capabilities, depending on the drivers you want to use:
a. Character Type support ``--enable-ctype``
b. LDAP support ``--with-ldap`` [OPTIONAL]
LDAP support is required for the kolab, ldap, and smbldap drivers.
c. Hash support [OPTIONAL]
Hash support is necessary for the smbldap driver. See `LDAP
Implementation Information`_ for details.
d. Mcrypt support ``--with-mcrypt`` [OPTIONAL]
Mcrypt support is necessary for the smbldap driver. See `LDAP
Implementation Information`_ for details.
e. SOAP support ``--enable-soap`` [OPTIONAL]
SOAP support is necessary for the soap driver.
3. The following PEAR modules:
(See `horde/docs/INSTALL`_ for instructions on installing PEAR modules)
.. Important:: If you are going to install Passwd the recommended way,
i.e. using the PEAR installer, you can skip the remainder of
this section. Installing Passwd through PEAR will
automatically download and install all required PEAR modules.
a. Crypt_CHAP [OPTIONAL]
Passwd uses this package to encrypt passwords for the smbldap driver.
The following items might be required, depending on the drivers you want to
use:
1. A poppassd server installed, running, and working on a system.
2. An LDAP server installed, running, and working for authentication.
3. A working smbpasswd program on the web server. It can access a remote
server, but the smbpasswd binary must be installed on the local system.
4. A working SQL authentication system.
5. Expect installed, and access to telnet or ssh to the machine where
passwords are stored/set (could be localhost).
6. A SOAP service endpoint.
Installing Passwd
===================
The **RECOMMENDED** way to install Passwd is using the PEAR installer.
Alternatively, if you want to run the latest development code or get the
latest not yet released fixes, you can install Passwd from Git.
Installing with PEAR
~~~~~~~~~~~~~~~~~~~~
First follow the instructions in `horde/docs/INSTALL`_ to prepare a PEAR
environment for Horde and install the Horde Framework.
When installing Passwd through PEAR now, the installer will automatically
install any dependencies of Passwd too. If you want to install Passwd with all
optional dependencies, but without the binary PECL packages that need to be
compiled, specify both the ``-a`` and the ``-B`` flag::

   pear install -a -B horde/passwd

By default, only the required dependencies will be installed::

   pear install horde/passwd

If you want to install Passwd even with all binary dependencies, you need to
remove the ``-B`` flag. Please note that this might also try to install PHP
extensions through PECL that might need further configuration or activation in
your PHP configuration::

   pear install -a horde/passwd

Installing from Git
~~~~~~~~~~~~~~~~~~~
See http://www.horde.org/source/git.php
Configuring Passwd
====================
1. Configuring Passwd
You must login to Horde as a Horde Administrator to finish the
configuration of Passwd. Use the Horde ``Administration`` menu item to get
to the administration page, and then click on the ``Configuration`` icon to
get the configuration page. Select ``Password`` from the selection list of
applications. Fill in or change any configuration values as needed. When
done click on ``Generate Password Configuration`` to generate the
``conf.php`` file. If your web server doesn't have write permissions to
the Passwd configuration directory or file, it will not be able to write
the file. In this case, go back to ``Configuration`` and choose one of the
other methods to create the configuration file ``passwd/config/conf.php``.
Documentation on the format and purpose of the other configuration files in
the ``config/`` directory can be found in each file. You may create
``*.local.php`` versions of these files if you wish to customize Passwd's
appearance and behavior. See the header of the configuration files for
details and examples. The defaults will be correct for most sites.
2. Testing Passwd
Once you have configured Passwd, bring up the included test page in your
Web browser to ensure that all necessary prerequisites have been met. See
the `horde/docs/INSTALL`_ document for further details on Horde test
scripts. If you installed Passwd as described above, the URL to the test
page would be::

   http://your-server/horde/test.php?app=passwd

Security considerations
=======================
.. Note:: Some drivers like poppassd always use clear text password
transmissions. Others may also use clear text passwords (e.g. the
expect script driver using telnet rather than ssh). This can be
considered somewhat safe if the server is on the same machine, there
are no user interactive logins allowed on that machine, and the
connection uses the loopback (localhost) interface. It is up to the
administrator to evaluate the security implications of using this
module, and to understand the security implications of how their
server and this module are configured.
.. Note:: Setting this module to allow guest access might also be considered a
security risk. By default, guest access is disabled. It is up to
the administrator to evaluate the security implications of using
this module with guest access if they choose to do so.
Poppassd Server Software
========================
The following are some links that users have submitted. No warranty is made
for the following links or any software obtained from them. These are all
user-submitted links, and have not been tested or verified. Use these links
at your own risk!
* http://www.ceti.com.pl/~kravietz/prog.html
* http://www.samera.net/rpm/
* http://netwinsite.com/poppassd/
* http://echelon.pl/pubs/poppassd-1.8.1.tar.gz
LDAP Implementation Information
===============================
The module includes support for changing LDAP stored passwords.
LDAP can store passwords in multiple ways, namely:
a. Plain text passwords
b. SHA encrypted passwords
c. SSHA encrypted passwords
d. Crypt encrypted passwords
e. MD5 encrypted passwords (using base64 encoding - md5-base64)
f. SMD5 encrypted passwords
The smbldap extension requires the PHP hash and mcrypt extensions. To enable
these you must compile PHP with ``--with-mcrypt[=DIR]`` and **without** the
``--disable-hash`` parameter. ``DIR`` is the mcrypt install directory.
Crypt cannot handle passwords longer than eight characters (it accepts them
but truncates them at 8 characters). If you want to use longer passwords, you
may use SHA.
The user must be able to authenticate to the LDAP directory and change his own
password now (we no longer do root access to LDAP). This assumes that the
LDAP administrator has allowed everyone to write their own password, something
like::

   access to attribute=userPassword
       by self write
       by anonymous auth
       by * none

SQL Implementation Information
==============================
The module includes support for changing passwords stored in a SQL database.
The SQL driver is similar to the LDAP driver except that it also supports MD5
encryption using hex encoding (md5-hex). If you created your passwords using
the PHP md5() function then use md5-hex.
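
The hash-based storage formats listed for the LDAP driver and the md5-hex format of the SQL driver, as an added example that is not Passwd's own code. It assumes the common ``{SCHEME}base64`` layout for ``userPassword`` values, with the salt appended after the digest for SSHA and SMD5; the function names are hypothetical and the sample password is constructed.

```python
import base64
import hashlib
import hmac
import os

# Scheme label -> (hashlib algorithm, salted?) for the hash-based formats
# listed above. Crypt and plain text are left out of this sketch.
SCHEMES = {"SHA": ("sha1", False), "SSHA": ("sha1", True),
           "MD5": ("md5", False), "SMD5": ("md5", True)}


def encode(scheme, password, salt=None):
    """Build a '{SCHEME}base64' value; salted schemes append the salt."""
    algo, salted = SCHEMES[scheme]
    salt = (os.urandom(8) if salt is None else salt) if salted else b""
    digest = hashlib.new(algo, password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def verify(stored, password):
    """Check a password against a stored '{SCHEME}base64' value."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("no scheme prefix")
    scheme, b64 = stored[1:].split("}", 1)
    algo, salted = SCHEMES[scheme.upper()]
    raw = base64.b64decode(b64)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]
    if not salted and salt:
        raise ValueError("unexpected trailing bytes for unsalted scheme")
    expected = hashlib.new(algo, password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def md5_hex(password):
    """md5-hex as the SQL driver text describes: same output as PHP md5()."""
    return hashlib.md5(password.encode()).hexdigest()


def md5_base64_to_hex(stored):
    """Convert a '{MD5}base64' value to md5-hex (same digest, new encoding)."""
    return base64.b64decode(stored[len("{MD5}"):]).hex()


if __name__ == "__main__":
    sample = "password"  # constructed sample input
    for name in SCHEMES:
        print(encode(name, sample))
    print(md5_hex(sample))
```

The unsalted SHA and MD5 values are identical for every user with the same password, while SSHA and SMD5 differ per entry because of the random salt.
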
Smbpasswd Implementation Information
====================================
To use this module, you must pass the address of your Samba domain controller
on which to change the password. This can be "localhost" for the server that
Horde runs on. The remote system name may be passed as the NETBIOS name, the
DNS name, or the IP address of the SMB/CIFS server to connect to. The
username is run through ``escapeshellcmd()``, so any usernames with strange
characters ($, &, etc) may not work. I'm not sure if any of these are even
valid for SMB/CIFS authentication, but if so, they may not work in this
module.
.. Note:: If changing a Windows NT Domain password the remote machine
specified must be the Primary Domain Controller for the domain
(Backup Domain Controllers only have a read-only copy of the user
account database and will not allow the password change).
Since smbpasswd works in client-server mode communicating with a local smbd
for a non-root user, the smbd daemon must be running for this to work. A
common problem is to add a restriction to the hosts that may access the smbd
running on the local machine by specifying an ``allow hosts`` or ``deny hosts`` entry
in the ``smb.conf`` file and neglecting to allow "localhost" access to the
smbd.
In addition, the smbpasswd command is only useful if Samba has been set up to
use encrypted passwords.
Expect Script Information
=========================
This code allows users to change their passwords via an expect script. The
module requires the expect program and a telnet or ssh program. You may need
to change some of the expect patterns in ``passwd-expect`` such as the
``badpassword_string`` or ``success_string`` (as only two examples).
For security reasons, it is generally suggested to use ssh rather than telnet
for the transport, if possible.
Expect PECL Information
=======================
This code allows users to change their passwords via the PHP PECL expect
extension. It requires the PECL expect extension and an ssh program.
You can find the extension at http://pecl.php.net/package/expect
Obtaining Support
=================
If you encounter problems with Passwd, help is available!
The Horde Frequently Asked Questions List (FAQ) is available on the Web at
http://wiki.horde.org/FAQ
The Horde Project runs a number of mailing lists, for individual applications
and for issues relating to the project as a whole. Information, archives, and
subscription information can be found at
http://www.horde.org/community/mail
Lastly, Horde developers, contributors and users may also be found on IRC,
on the channel #horde on the Freenode Network (irc.freenode.net).
Please keep in mind that Passwd is free software written by volunteers. For
information on reasonable support expectations, please read
http://www.horde.org/community/support
Thanks for using Passwd!
The Passwd team
.. _README: README
.. _`horde/docs/INSTALL`: ../../horde/docs/INSTALL
.. _`horde/docs/TRANSLATIONS`: ../../horde/docs/TRANSLATIONS